GitHub’s security alerts notify repository admins when library vulnerabilities listed in Common Vulnerabilities and Exposures (CVE) are detected in their repositories. CVE is a list of entries—each containing an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities. This gives administrators a valuable "heads up" so they can react promptly and fix the vulnerability, either by removing the vulnerable dependency or by moving to a secure version.

According to GitHub, nearly half of all displayed alerts are responded to within a week, and the rate of vulnerabilities resolved in the first seven days has been about 30%. However, when that statistic is restricted to repositories with recent contributions, i.e., contributions in the last 90 days, things look even brighter, GitHub says, with 98% of such repositories being patched in fewer than seven days. Overall, more than four million vulnerabilities in over 500,000 repositories have been reported.

All public repositories are scanned for vulnerabilities; private repositories are scanned only if their dependency graph is enabled. For each vulnerability found, the repo admin is presented not only with general information about the issue, but also with its severity level and resolution steps. If no safe version of a given dependency is known, GitHub will attempt to recommend a similar, safe dependency to use in place of the unsafe one.
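To make the matching step concrete, here is an added example (not GitHub's code, and not tied to its actual advisory database) of how a dependency-alert check works: resolved versions are read from a lockfile, compared against advisories that carry a vulnerable version range, a severity and either a patched version or a suggested replacement, and an alert is raised only when the installed version falls inside the vulnerable range. The advisory identifiers, package names, version ranges and lockfile contents are all constructed placeholders.

```python
"""Dependency-advisory matching, illustrating the alert flow described above.

Added example, not GitHub's implementation. All advisory ids, package names,
version ranges and lockfile snippets are constructed placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Advisory:
    id: str              # placeholder id, not a real CVE
    package: str
    ecosystem: str       # "npm" or "rubygems"
    vulnerable: str      # space-separated comparators, e.g. ">=1.0.0 <1.4.2"
    severity: str
    patched: Optional[str]           # first safe version, if one exists
    alternative: Optional[str] = None  # suggested replacement when no patch exists


# Constructed advisory list (hypothetical packages and ranges).
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-1", "leftpad-ish", "npm", ">=1.0.0 <1.4.2", "high", "1.4.2"),
    Advisory("ADV-PLACEHOLDER-2", "oldxml", "npm", ">=0.1.0", "critical", None, "saferxml"),
    Advisory("ADV-PLACEHOLDER-3", "yamlgem", "rubygems", ">=2.0.0 <2.3.5", "moderate", "2.3.5"),
]

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10): compare numerically, so 1.10.0 > 1.9.0."""
    return tuple(int(p) for p in v.strip().split("."))


def in_range(version: str, spec: str) -> bool:
    """True when the version satisfies every comparator in the spec."""
    v = parse_version(version)
    for op, bound in re.findall(r"(>=|<=|<|>|==)\s*([\d.]+)", spec):
        b = parse_version(bound)
        ok = {">=": v >= b, "<=": v <= b, "<": v < b, ">": v > b, "==": v == b}[op]
        if not ok:
            return False
    return True


def deps_from_package_lock(text: str) -> dict:
    """package-lock.json (v1 layout): {"dependencies": {name: {"version": ...}}}."""
    data = json.loads(text)
    return {name: d["version"] for name, d in data.get("dependencies", {}).items()}


def deps_from_gemfile_lock(text: str) -> dict:
    """Gemfile.lock pins resolved gems as four-space-indented 'name (version)' lines;
    the six-space-indented lines beneath them are requirements, not pins."""
    return dict(re.findall(r"^    (\S+) \((\d+(?:\.\d+)*)\)$", text, re.M))


def find_alerts(deps: dict, ecosystem: str) -> list:
    """Return alerts (most severe first) for installed versions inside a vulnerable range."""
    alerts = []
    for adv in ADVISORIES:
        if adv.ecosystem != ecosystem or adv.package not in deps:
            continue
        installed = deps[adv.package]
        if not in_range(installed, adv.vulnerable):
            continue  # already on a safe version, nothing to report
        if adv.patched:
            fix = f"upgrade {adv.package} to {adv.patched}"
        elif adv.alternative:
            fix = f"no patched release known; consider replacing {adv.package} with {adv.alternative}"
        else:
            fix = f"no fix known; remove {adv.package}"
        alerts.append({"id": adv.id, "package": adv.package, "installed": installed,
                       "severity": adv.severity, "fix": fix})
    return sorted(alerts, key=lambda a: SEVERITY_RANK.get(a["severity"], 99))


# Constructed lockfile inputs.
PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {"leftpad-ish": {"version": "1.3.0"},
                     "oldxml": {"version": "0.4.1"},
                     "okay-lib": {"version": "3.1.0"}},
})

GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    yamlgem (2.3.5)
    otherlib (1.0.0)
      yamlgem (>= 2.0)

PLATFORMS
  ruby
"""

if __name__ == "__main__":
    for a in find_alerts(deps_from_package_lock(PACKAGE_LOCK), "npm"):
        print(f"[{a['severity']}] {a['package']} {a['installed']} ({a['id']}): {a['fix']}")
    print("rubygems alerts:", find_alerts(deps_from_gemfile_lock(GEMFILE_LOCK), "rubygems"))
```

Running it reports two npm alerts (the critical one without a patched release suggests the replacement package) and none for the Gemfile.lock, because the pinned gem is already at the first safe version. The numeric version comparison matters: a string comparison would wrongly treat 1.10.0 as older than 1.9.0 and could either miss a vulnerable version or flag a patched one.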

Security notifications can be delivered in several ways: as an alert displayed among the other notifications, or via email. In addition to sending an email each time a vulnerability is found, GitHub has recently introduced a weekly digest email that summarizes the vulnerability alerts for up to 10 repositories.

Security alerts are currently supported only for repositories written in Ruby or JavaScript, while support for Python is planned for 2018.